Control: 2.1 Ensure that ActionTrail are configured to export copies of all Log entries
Description
ActionTrail is a web service that records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the Alibaba Cloud service. ActionTrail provides a history of API calls for an account, including API calls made via the Management Console, SDKs, command line tools.
Remediation
Perform the following to enable global (Multi-region) ActionTrail logging:
From Console
- Logon to ActionTrail Console.
- Click on
Trailson the left navigation pane. - Click
Add new trail.- Enter a trail name in the
Trail name box. - Set
YesforApply Trail to All Regions. - Specify an OSS bucket name in the OSS bucket box.
- Specify an SLS project name in the SLS project box.
- Click
Create.
- Enter a trail name in the
From Command Line
aliyuncli actiontrail CreateTrail --Name <trail_name> --OssBucketName <oss_bucket_for_actiontrail> --RoleName aliyunactiontraildefaultrole --SlsProjectArn <sls_project_arn_for_actiontrail> --SlsWriteRoleArn <sls_role_arn_for_actiontrail> --EventRW <api_type_for_actiontrail>
aliyuncli actiontrail UpdateTrail --Name <trail_name> --OssBucketName <oss_bucket_for_actiontrail> --RoleName aliyunactiontraildefaultrole --SlsProjectArn <sls_project_arn_for_actiontrail> --SlsWriteRoleArn <sls_role_arn_for_actiontrail> --EventRW <api_type_for_actiontrail>
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_2_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run alicloud_compliance.control.cis_v100_2_1 --shareSQL
This control uses a named query:
select 'acs:actiontrail:' || home_region || ':' || account_id || ':actiontrail/' || name as resource, case when trail_region = 'All' and oss_bucket_name is not null and sls_project_arn is not null then 'ok' else 'alarm' end as status, case when trail_region = 'All' and oss_bucket_name is not null and sls_project_arn is not null then name ' is configured to export copies of all log entries' else name ' is not configured to export copies of all log entries' end as reason , account_id as account_id, region as regionfrom alicloud_action_trail;